W32.Sasser.G
Home Up About Us Virus Definitions Buy Anti Virus Software Site Map

Up ] About Us ] Virus Definitions ] Buy Anti Virus Software ] Site Map ]

 

W32.Sasser.G

Discovered on: June 10, 2004

Description:  W32.Sasser.G is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly selected IP addresses for vulnerable systems. The worm's function is identical to that of W32.Sasser.E.Worm, but W32.Sasser.G contains an extra PE file section, which is 1 byte in size and appears to have no function. W32.Sasser.G differs from W32.Sasser.Worm as follows:

bulletUses a different mutex: SkynetNotice.
bulletUses a different file name: lsasss.exe.
bulletCreates a different value in the registry: "lsasss.exe"
bulletUses different port numbers, used by FTP server and the remote shell: 1023 and 1022.
bulletAfter 2 hours of running it displays a message.
bulletIt deletes the values from the registry, which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
bulletThe name of the file retrieved from the FTP server is followed by _update.exe.
bulletThe worm logs data into the file C:\ftplog.txt.
bulletHas an updated routine for finding vulnerable computers. W32.Sasser.G sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.

W32.Sasser.G can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers.

Removal Instructions For Symantec & Norton Users:

Before you begin:
If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be reinfected.

What to do if the computer shuts down before you can patch or get the tool
This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch or downloading the tool described below. Notes:
bulletYou may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.
bulletThis will not work on Windows 2000.

To prevent the shut down, do the following:

  1. Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
  2. Restart the computer.
  3. As soon as Windows opens and you see the Windows desktop, click Start > Run.
  4. Type:

    cmd

    and press Enter.

  5. Type:

    shutdown -i

    and press Enter.

  6. In the Remote Shutdown Dialog that opens, do the following:
    1. Click Add, type your computer name into the Add Computers dialog box, and then click OK.
    2. In the "Display warning for" field, type 9999.
    3. Type the following text in the Comment box:

      Delay Lsass.exe shutdown.

    4. Click OK.

  7. Reconnect the network/Internet connection.
  8. Connect to the Internet, and get the patch. Then continue with the steps described below.

When you have patched your computer and removed the threat, you can re-enable the 20 second default warning if you wish.


Removal using the W32.Sasser Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.G. Use this tool first, as it is the easiest way to remove this threat.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. End the malicious process (Windows 2000/XP).
  2. Disable System Restore (Windows XP).
  3. Update the virus definitions.
  4. Run a full system scan and delete all the files detected as W32.Sasser.G.
  5. Reverse the change made to the registry.

For details on each of these steps, read the following instructions.

1. To end the malicious process
On Windows 2000/XP computers, you must first end the malicious process:
  1. Press Ctrl+Alt+Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for the following processes:
    bulletlsasss.exe
    bulletany process with a name consisting of four or five digits, followed by _upload.exe (eg 74354_upload.exe).
  6. If you find any such process, click it, and then click End Process.
  7. Exit the Task Manager.

Mcafee update

 		  

 

Our Staff Recommends
VirusAlert_mydoom_125x125_2

 

Alternative Option:
The Shield Pro

The Shield Pro Protect from viruses, hackers, and privacy threats. Powerful yet easy to use.


Top Ranked Software for Anti-Virus, Spyware, Firewall, Adware Remover and everything else for software.

I Warned You - Software and Computer Protection

SYMANTEC Norton AntiVirus 2005  Windows

 

 


HIGH VIRUS ALERT - 'Sobig' Worm - best anti-virus software download

Make sure you have the best Anti Virus protection for your computer. We suggest you consider buying the new Norton Anti-Virus Software 2005. The most trusted name for computer anti viruses  

SYMANTEC Norton AntiVirus 2005

Get your McAfee SpamKiller

Where can I get the latest Anti-Virus software? at Free Anti Virus Scans dot com

McAfee Anti Virus For Sale

About Us ] Virus Definitions ] Virus List ] Buy Anti Virus Software ] Site Map ]